我已经配置了 Keycloak 的本地实例,通过 Oauth2/OIDC 充当 Microsoft EntraID(以前称为 Azure Active Directory,它是实际的身份提供程序)的身份代理(一种代理)。
我已经成功获得了一个示例 Spring Boot 应用程序来通过此设置显示基本身份信息和角色。但是,它不会返回角色或组,默认角色和范围 ROLE_USER、ROLE_USER、SCOPE_email、SCOPE_openid、SCOPE_profile 除外。
我希望它返回我专门为用户配置的角色。这可能吗?
相关代码如下:
应用程序属性:
server.port=9080
spring.security.oauth2.client.registration.oauth2-demo-thymeleaf-client.client-id=azure-client-provider
spring.security.oauth2.client.registration.oauth2-demo-thymeleaf-client.client-secret=xxxx
spring.security.oauth2.client.registration.oauth2-demo-thymeleaf-client.scope=openid, profile, roles
spring.security.oauth2.client.registration.oauth2-demo-thymeleaf-client.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.oauth2-demo-thymeleaf-client.redirect-uri=http://localhost:9080/login/oauth2/code/azure-client-provider
spring.security.oauth2.client.provider.oauth2-demo-thymeleaf-client.issuer-uri=http://localhost:8180/realms/demoBroker
@RestController
public class RoleController {
@GetMapping("/roles")
public String printScopes(@AuthenticationPrincipal OAuth2User oauth2User) {
// Get the scopes from the OAuth2User object
StringBuilder htmlContent = new StringBuilder("<html><body><h2>User Information</h2>");
// Get user attributes
String userId = oauth2User.getName();
htmlContent.append("<p><strong>User ID:</strong> ").append(userId).append("</p>");
// Get and append all attributes
oauth2User.getAttributes().forEach((key, value) ->
htmlContent.append("<p><strong>").append(key).append(":</strong> ").append(value).append("</p>"));
htmlContent.append("</body></html>");
// Include user authorities (roles)
htmlContent.append("<p><strong>Authorities:</strong> ");
oauth2User.getAuthorities().forEach(authority ->
htmlContent.append(authority.getAuthority()).append(", "));
htmlContent.append("</p>");
System.out.println("User Info (HTML):\n" + htmlContent.toString());
return htmlContent.toString();
}
}
输出:
User Information
User ID: 60e9bd60-xxx
at_hash: gGDXPZxxx
sub: 60e9bdxxx
email_verified: false
iss: http://localhost:8180/realms/demoBroker
typ: ID
preferred_username: xxxxx
given_name: xxxxx
nonce: xxx
sid: xxxx
aud: [azure-client-provider]
acr: 0
azp: azure-client-provider
auth_time: 2024-03-09T15:27:45Z
name: xxxx
exp: 2024-03-09T15:45:25Z
session_state: fababa49-6ca7-42d5-911d-7379c6719bf6
family_name: xxxx
iat: 2024-03-09T15:40:25Z
email: [email protected]
jti: xxxx
Authorities: ROLE_USER, SCOPE_email, SCOPE_openid, SCOPE_profile,
它应该显示我分配给用户的一些角色,例如应用程序管理员等。
有什么想法吗?
通过
oauth2Login
,只需两个步骤即可将 EntraID 的角色作为 OAuth2 客户端中的 Spring Security 权限:
GrantedAuthoritiesMapper
bean
my starter 来代替第二步,它将根据您提供的应用程序属性(声明从中提取角色、可选前缀和您想要的大小写转换)为您配置权限映射器。